
Wednesday, October 29, 2008

Google moves towards single sign-on with OpenID

By Eric Sachs, Google Security Team

Today, users have to create a separate password for many of the websites they visit, and most would rather skip that step so they can get to a site more easily. Websites, for their part, have been asking for a way to let users log in without forcing them to create yet another password. If users could log in without one, websites could offer a more personalized experience to their users.

In September we announced research that we shared as part of an effort by the OpenID community to evaluate the user experience of federated login; other companies, such as Yahoo, have published their own user research. Starting today, we are providing limited access to an API for an OpenID identity provider that is based on the OpenID community's user experience research. Websites can now let Google Account users log in using the OpenID protocol. We hope that the continued evolution of OpenID's technical features, together with improvements in user experience, will lead to a solution that can be widely deployed for federated login. One of the companies using this new service is www.zoho.com. Raju Vegesna at ZoHo says that "We now offer all our users the ability to login to ZoHo using their Google Account to avoid the need to create yet another login and password."

The initial version of the API uses the OpenID 2.0 protocol to let a website verify the identity of a Google Account user, with the option of also requesting the user's e-mail address. Below is an example of the flow a user might see when starting at a website that uses this feature:

The website could use a modified login box like the one shown below. If the user enters a Gmail address and indicates that he or she does not have a password for this site, the site redirects him or her to Google.

The user would then be taken to the Google website and asked to confirm whether he or she wants to sign in to KidMallPics.

Finally, the user would be redirected back to KidMallPics, where he or she would be immediately signed in.
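The three steps above are the OpenID 2.0 checkid_setup flow seen from the relying party (the website). The following Python is an added example, not Google's code and not part of the original post: it builds the redirect of step 1 (directed identity plus the optional Attribute Exchange request for the e-mail address), constructs a stand-in for the signed positive assertion of step 2 using a made-up association key, and performs the checks a relying party has to make in step 3 before signing the user in. The OP endpoint URL, the relying-party URLs, the association secret, the clock and the user data are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"

# Assumed for the example: the OP endpoint an RP obtains by Yadis discovery on
# https://www.google.com/accounts/o8/id, plus a hypothetical RP (KidMallPics).
OP_ENDPOINT = "https://www.google.com/accounts/o8/ud"
RETURN_TO = "https://kidmallpics.example/openid/return"
REALM = "https://kidmallpics.example/"
# Constructed association secret and clock. A real RP gets the MAC key from an
# associate request to the OP (or falls back to check_authentication).
DEMO_MAC_KEY = bytes(range(20))
DEMO_NOW = datetime(2008, 10, 29, 12, 0, 0, tzinfo=timezone.utc)
# Fields a positive assertion must cover with its signature (OpenID 2.0, section 10.1).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")


def build_auth_request(op_endpoint=OP_ENDPOINT, return_to=RETURN_TO, realm=REALM, want_email=True):
    """Step 1: the redirect sent to the browser once the user types a Gmail address."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        # Google users have no per-user URL to type, so the OP picks the identifier.
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    if want_email:  # the optional e-mail request, via Attribute Exchange
        params.update({"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
                       "openid.ax.type.email": AX_EMAIL, "openid.ax.required": "email"})
    return op_endpoint + "?" + urlencode(params)


def kv_form(params, signed):
    """Key-value form of the signed fields: the bytes the HMAC covers."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed).encode()


def sign(params, signed, mac_key):
    """HMAC-SHA1 over the key-value form, base64-encoded as in openid.sig."""
    return base64.b64encode(hmac.new(mac_key, kv_form(params, signed), hashlib.sha1).digest()).decode()


def make_signed_assertion(mac_key, nonce, claimed_id, email, op_endpoint=OP_ENDPOINT,
                          return_to=RETURN_TO, sign_email=True):
    """Step 2, constructed stand-in for the id_res the OP returns after the user confirms."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": return_to, "openid.response_nonce": nonce,
        "openid.assoc_handle": "demo-assoc-1",
        "openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.email": AX_EMAIL, "openid.ext1.value.email": email,
    }
    signed = list(REQUIRED_SIGNED)
    if sign_email:
        signed += ["ns.ext1", "ext1.mode", "ext1.type.email", "ext1.value.email"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = sign(params, signed, mac_key)
    return params


def signed_ax_email(params, signed):
    """The e-mail from the AX response, accepted only if the OP signed it."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            alias = key[len("openid.ns."):]
            if f"ns.{alias}" in signed and f"{alias}.value.email" in signed:
                return params.get(f"openid.{alias}.value.email")
    return None


def verify_assertion(params, mac_key, seen_nonces, now=DEMO_NOW, op_endpoint=OP_ENDPOINT,
                     return_to=RETURN_TO, max_skew=timedelta(minutes=5)):
    """Step 3: the RP's checks before signing the user in.
    Returns (True, {"claimed_id", "email"}) or (False, reason)."""
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        return False, "not a positive OpenID 2.0 assertion"
    signed = params.get("openid.signed", "").split(",")
    if any(f not in signed for f in REQUIRED_SIGNED) or any("openid." + f not in params for f in signed):
        return False, "required field unsigned or absent"
    # The typed e-mail address proves nothing; only the endpoint discovered for Google may vouch.
    if params["openid.op_endpoint"] != op_endpoint:
        return False, "assertion not from the discovered endpoint"
    if params["openid.return_to"] != return_to:
        return False, "return_to mismatch"
    nonce = params["openid.response_nonce"]
    try:  # nonce = UTC timestamp followed by unique characters
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > max_skew:
        return False, "stale nonce"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    if not hmac.compare_digest(sign(params, signed, mac_key), params.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, {"claimed_id": params["openid.claimed_id"], "email": signed_ax_email(params, signed)}


if __name__ == "__main__":
    print(build_auth_request())
    assertion = make_signed_assertion(DEMO_MAC_KEY, "2008-10-29T12:00:05Zabc",
                                      "https://www.google.com/accounts/o8/id?id=DEMO", "alice@gmail.com")
    seen = set()
    print(verify_assertion(assertion, DEMO_MAC_KEY, seen))  # accepted on first delivery
    print(verify_assertion(assertion, DEMO_MAC_KEY, seen))  # same assertion again: replayed nonce
```

The point the checks make: the address the user typed into the login box is never trusted on its own. What the site signs the user in on is an assertion whose openid.op_endpoint is the endpoint the site itself discovered for Google, whose return_to is the site's own, whose nonce is fresh and not yet seen, and whose signature verifies under the association; the e-mail address is taken only from an AX field that the OP included in the signed list.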

Google is also working with the open source community on ways to combine the OAuth and OpenID protocols in the future. That way a website could request not only the user's identity and e-mail address but also access to information exposed through OAuth-enabled APIs such as the Google Data APIs, and through standard data formats such as Portable Contacts and the OpenSocial REST APIs. In the future, this should allow a website to provide a much more streamlined, personalized and socially relevant experience as soon as a user logs in to a trusted website.

This is great news - congratulations and many thanks to the Google team working on this project.

I'd just like to point out, though, that OpenID is absolutely useless if each site just works as an authentication server but doesn't accept logins from other OpenID providers... we're back where we started with a million different logins for a million different sites unless someone bites the bullet and lets users log in with accounts initially registered on a different OpenID server!

@nick Just about every popular and publicly-accepted technology is "out of sight". That is a sign of human-ready technology.

The end-user being unaware of OpenID is fine, as long as they are USING it.

@davidowens

Google's blogger accepts OpenID from any Provider. I don't think Yahoo has any sites that accept OpenID from ANYONE, yet. I believe you're confusing the concepts of "Provider" and "Relying Party".

@hongxiaowan

Yes, the power of OpenID is in the URL. It is important that a single URL is resolved as the final destination of an OpenID. But using an e-mail identifier as a delegator to that URL drives adoption. The reason OpenID has so much momentum around it is because the true test of a federated login IS adoption, and the OpenID community is innovating in this area like no other federated solution has before it.

Oh gee, goodie, another OpenID provider. How about one of you big boys realizing that we don't want more providers, we want consumers. Let me log in to all my Google properties (not just Blogger comments, the only thing I can tell Google allows external providers for) with my already existing, well established OpenID of choice.

No IDisposable and Stas, it's you two who don't understand. We DO need more OpenID providers! As a website developer, I want as many people to use my website as possible. Signing up for an account on my website - or any new website for that matter - is a hassle and people generally want to avoid that. A lot of people have a Google account, and if they can sign in with that then it's a huge win. I don't care whether I can sign in to Google with OpenID, I just want my users to be able to sign in with their Google account. Most users don't even know what OpenID is.

In my opinion, this looks like basically just another closed, tied-to-one-vendor authentication scheme that just happens to use OpenID internally.

I note that you expect anyone taking part not just to get your permission to use the service, but that they also have to hard-code a Google-specific URL and logic into their authentication code. That's hardly open or scalable.

If I went to that website, I would have no idea that I could log in with my OpenID account (which is NOT my e-mail address). Also, why would I give my e-mail address to a random website that I don't trust not to spam me.

This is not OpenID, it's a proprietary Google API that resembles OpenID in some of the implementation details, and is in fact pulling users away from a truly open system where they can have ANY identity server they like.

No doubt other e-mail address providers could also implement this system, but not all of them would, since it's not part of SMTP.

The big problem from my end as someone who runs a website is that I want to confirm that REAL people are joining the site, not just an email address. At the moment we have a large number of people joining from XYZ123@32784683246.cn, who are invariably spam merchants. Whilst I respect Google's efforts, and like the idea of OpenID, I'm still not going to accept a webmail address as proof of a "real" person.

I've found a great many sites where I've wanted to leave a comment, but didn't because of sign-up hassles... but I can't remember which ones. Probably a sign that I didn't really need to that much. There's a balance between ease of sign-up and accountability, and at the moment the sheer hassle of an individual login seems to solve that perfectly. If you can't be bothered, you don't deserve to.

Hi :-) The OpenID solution sounds good, but what about the security threat here? Can I enter somebody else's Google ID and log in? How are we addressing such issues? If the user enters authentication details (username & password), then how safe is it?

I can think of one solution. Tell me, how would it be if the user could enter a password which is visible (a normal text box rather than a password box), but still others can't log in? :-) Do you like this solution? :-)

Nice, guys, but please allow reciprocity by allowing other OpenID providers to sign us in for some Google services (I can understand if Gmail is a big no :). That'd be a great step towards unified login!

The point of OpenID is (among others) to forget about all the 1213234684 passwords you have to remember by reusing your OpenID identity. At the moment, you can create more and more OpenIDs, but not use them because so few services accept OpenID from other providers...

And Google is another example of this phenomenon! See the Ars article on this subject: http://arstechnica.com/news.ars/post/20081029-openid-being-balkanized-even-as-google-microsoft-sign-on.html

Some sites have already started to misuse the facility, and using these popular sites for authentication makes users think that they have been recognized by these standard sites. For example, a site wants you to sign up using a Gmail account; actually they are creating a new user for their site, and they can steal the address book of the person who is registering and misuse it for tasks such as sending invitations. Recently I saw a site which, even though I didn't select any of my friends for invitation on the wizard page, sent them anyway. Beware of the so-called 'facility' of using a single login.

Google can allow a user to use sign-ins from another provider. A common misconception is that Google would have to allow registration-less sign-ins. Google, however, could still require a user to create a registration and username with Google and then allow users to link their OpenIDs to that registration, allowing them to log in to the Google account they registered with the OpenID.

Well, this is something that we should have expected - Google becomes more and more of a monopolist; at the start they respected standards, but now, in full power, they can and will drop any of "those pesky recommendations". Now Microsoft, lol

What happens with the example site if the user enters "user@yahoo.com" instead of "user@gmail.com"? Does the site need to know that yahoo also provides OpenID functionality? What if the user enters "user@someotherdomain.com"? Which might well be an OpenID provider but obviously for the sake of this example the site doesn't have prior knowledge of that functionality.

Is google proposing a standard way to convert any email address into a format suitable for OpenID? If I wanted to support this, would I convert user@gmail.com into http://user@gmail.com/ and similarly user@someotherdomain.com into http://user@someotherdomain.com/?

What I don't like about this solution is that Google teaches people to leave their Gmail address at every other site. And given that there is a password field there as well, chances are that people will easily be fooled into entering their Gmail password too. If this is a spoof site, it now has total access to your Gmail account... :/

This is a great development for OpenID, and more importantly for the websites and end users that can benefit from faster and easier registrations and logins using existing accounts with Google, Yahoo, AOL, and many other OpenID providers.

JanRain's RPX (http://www.janrain.com/products/rpx) OpenID website enabling service has already integrated and deployed support for Google's OpenID service. You can see a demo at www.velog.com.

You can also see some case studies of successful OpenID deployments with measurable benefits at: http://www.janrain.com/openid/casestudies

Anyway, I think it's also important to allow OpenID providers to sync data between each other, like I can register for Google's OpenID using MSN's OpenID and all my info at MSN gets synced to Google; then I can just use Google's OpenID, but if I change any info on Google's OpenID, Google must sync it back to MSN. It must be give and take, auto-magically; of course it must be available as an option to set on and off, like "tick here to autocast login spell" ^_^

Ok, so now how do I migrate my existing accounts to use my OpenID? For example, I already have accounts at Amazon, LinkedIn, Facebook, etc. I don't want to lose all my historic data just to use OpenID.

There are going to be problems with this. Primarily what will I login with if I go to a site that shows OpenID and Google Account Logins. I have used OpenID from Blogger to go to a site that only supports OpenID (not google account). Other sites only support Google Account (not OpenID). Now I found a site that I can login with my OpenID (from Blogger) or my Google Account. What am I supposed to do?? Google should just have figured out a way to implement the OpenID Blogger has and give it to users that don't have blogs. Maybe give them a blogspot page without necessarily having a blog. This would have been better for OpenID and for users.

Like many have already stated, this does not conform to OpenID standards because the ID should be a URL string, not email. I've already tried to add my Gmail "openID" to many sites that support openID but they all fail with an error stating that my email address is not a valid openID. It should not be the responsibility of each and every service provider to modify their apps because Google did not conform to specs. Unfortunately, most providers will adapt just because there are so many Gmail users but I'm disappointed about this implementation.

Thanks for this thread. I have been asked to implement OpenID on a number of services. Google's screwing with the standards confused the hell out of me as to what an OpenID actually was! Now I know that I am not alone in not knowing what my Google OpenID is (not). I am most disappointed in this, Google, and it confirms the hate side of my relationship with you; it just confirms that I need to be taking my and my clients' services away from your servers.

Hmm, I can't see anything OpenID here. Seems like the protocol is somehow similar, but a pure OpenID implementation can't handle it. I see that the URI for all users is https://www.google.com/accounts/o8/id. But then that can't be used as an identifier, because everybody with a Google account can log in with it. So the authentication module of the consumer/relying party needs to have special logic to handle Google auth.